
Interview: Thom Langford, Rapid7 on Threat Intelligence and Security Strategy

The EMEA CTO talks advising CISOs, intelligence overload and the joy of the new role.


“I love a good company culture, and hardly anybody has a good company culture, no matter how well we talk about it.”

Sitting down with Thom Langford at Infosecurity Europe in London, SC UK found the still-new Rapid7 EMEA CTO, in his first year in the role, full of praise for his employer. “It's a commercial enterprise, of course, but actually you've got people who are really passionate about the impact it has and why it's important, and that for me makes a lot of difference,” he says. “I think [that] really builds and comes across in who we are as an organisation.”

Langford is an established security leader, having held roles at companies such as Sapient and Publicis Groupe. Rapid7 is a technology company selling technology solutions, but his role is focused on the CISO: who they are as a person and as a professional, how they do their job, and how Rapid7 supports that, either through its technology or through Langford sharing his own expertise.

“Because frankly, we're a technology company trying to help a CISO address a business problem,” he says. “[If the] CISO's just addressing a technology or a security problem? That’s great, we can talk until we're blue in the face, but that's not going to allow them to fix the overarching issues.

“It's not going to fix those fundamental flaws that they are facing, because why are people not addressing vulnerabilities properly? Probably because they don’t have the investment to replace legacy systems. They don't have the expertise on hand to see an expiry date on their systems, or anything like that, [or to] have those processes in place. Technology will make your processes more efficient. You've got to have the fundamental process in place in the first instance.”

Strategy Scope

At the time of talking, SC UK had just attended a panel session on cyber hygiene, vulnerability management and forming a cybersecurity strategy. Asked for his thoughts on forming a strategy, Langford likened it to a “sniper aiming at something.”

He says: “The strategy is to get from here to there. Our journey will take us like this, but each time we are drifting away, we're focusing on something else. We think that, hang on, this is not core to what we're doing; this is not core to vulnerability management; this is not core to identifying every user in our environment. You can of course correct [yourself] and go back to it.

“Your end goals may shift over time and that's alright to see shifts, you just need to repoint the sniper's rifle back at it. The strategy helps define where you are going and why you're doing it and then focus on things like vulnerability management.”

Threat Intelligence

On the theme of vulnerability management, Langford said that remains core to Rapid7, alongside community-based products supported and maintained by the community for the community. Building on this, Rapid7 launched its Intelligence Hub earlier this year to address the needs of threat intelligence, which he says is all too often a matter of drinking from the fire hose.

He says too many threat intelligence systems are “filled with indicators of compromise that include dual-use tools. You pour that into your system, your dashboards light up like a Christmas tree, and then before you know it, it's like ‘why am I chasing down VNC and TeamViewer here? Those are tools I use in my environment!’”

He says too much threat intelligence processing tells you that you’re riddled with vulnerable software, so the idea of its Intelligence Hub is to take the feeds and rate them both automatically and manually based on severity. “With the human in the loop, we will look at the really important stuff, add context, add industry and add timeliness of it. We will add metadata, and information on those vulnerabilities, and add decay modelling to it: three months go by and it's irrelevant intelligence for you, and our decay models allow us to take the noise away.”
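The triage Langford describes, a per-indicator score built from feed severity and source confidence, decayed over time so that months-old intelligence falls away, with sanctioned dual-use tools filtered out before they light up a dashboard, as an added example. This is illustrative Python written for this page, not Rapid7's Intelligence Hub code; the half-lives, the action threshold, the sanctioned-tool list and the sample indicators are all assumptions constructed for the example.

```python
"""Score threat-intel indicators with time decay and suppress sanctioned dual-use tools.

Added example; not Rapid7's Intelligence Hub code. The half-lives, threshold,
sanctioned-tool list and sample feed below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed half-lives per indicator type: an attacker's IP goes stale in days,
# a file hash stays meaningful for months. Tune these from your own sightings.
HALF_LIFE_DAYS = {"ip": 14, "domain": 30, "hash": 90, "tool": 60}
ACTION_THRESHOLD = 2.0  # assumed minimum decayed score worth an analyst's time


@dataclass
class Indicator:
    value: str
    kind: str          # "ip", "domain", "hash" or "tool"
    severity: int      # 1..10 as rated by the feed
    confidence: float  # 0..1 source/analyst confidence
    last_seen: date    # most recent sighting in the wild


def decay_factor(age_days: int, kind: str) -> float:
    """Exponential decay: the weight halves every HALF_LIFE_DAYS[kind] days."""
    age_days = max(age_days, 0)  # a sighting dated in the future counts as fresh
    return 0.5 ** (age_days / HALF_LIFE_DAYS.get(kind, 30))


def decayed_score(ind: Indicator, today: date) -> float:
    age = (today - ind.last_seen).days
    return ind.severity * ind.confidence * decay_factor(age, ind.kind)


def triage(indicators, today, sanctioned_tools, threshold=ACTION_THRESHOLD):
    """Split a feed into actionable indicators and suppressed noise, with reasons."""
    actionable, suppressed = [], []
    for ind in indicators:
        score = round(decayed_score(ind, today), 2)
        if ind.kind == "tool" and ind.value.lower() in sanctioned_tools:
            suppressed.append((ind.value, score, "dual-use tool sanctioned in this environment"))
        elif score < threshold:
            suppressed.append((ind.value, score, "decayed below threshold"))
        else:
            actionable.append((ind.value, score))
    actionable.sort(key=lambda item: item[1], reverse=True)
    return actionable, suppressed


def resight(ind: Indicator, seen_on: date) -> Indicator:
    """A fresh sighting resets the clock, so a stale indicator can recover its score."""
    return Indicator(ind.value, ind.kind, ind.severity, ind.confidence, seen_on)


# Constructed sample feed (not real intelligence), dated relative to a fixed day.
SAMPLE_TODAY = date(2025, 6, 2)
SANCTIONED_TOOLS = {"teamviewer.exe", "vncviewer.exe"}  # assumed to be in legitimate use


def sample_feed():
    def days_ago(n):
        return SAMPLE_TODAY - timedelta(days=n)
    return [
        Indicator("203.0.113.7", "ip", 9, 0.9, days_ago(2)),        # fresh C2 address (TEST-NET-3)
        Indicator("bad.example", "domain", 8, 0.8, days_ago(120)),  # four months old
        Indicator("teamviewer.exe", "tool", 5, 0.7, days_ago(1)),   # dual-use, sanctioned here
        Indicator("vncviewer.exe", "tool", 5, 0.7, days_ago(3)),    # dual-use, sanctioned here
        Indicator("a" * 64, "hash", 7, 0.9, days_ago(30)),          # placeholder SHA-256
    ]


def triage_sample():
    return triage(sample_feed(), SAMPLE_TODAY, SANCTIONED_TOOLS)


def recovered_sample():
    """Score of the stale domain once it is sighted again today."""
    stale = sample_feed()[1]
    return round(decayed_score(resight(stale, SAMPLE_TODAY), SAMPLE_TODAY), 2)


if __name__ == "__main__":
    actionable, suppressed = triage_sample()
    for value, score in actionable:
        print(f"ACT   {value:<20} {score}")
    for value, score, why in suppressed:
        print(f"DROP  {value:<20} {score}  ({why})")
    print(f"bad.example after re-sighting: {recovered_sample()}")
```

With the assumed half-lives, the two-day-old IP and the month-old hash stay actionable, the 120-day-old domain decays to a fraction of its feed severity and is dropped, and the two sanctioned remote-access tools are suppressed regardless of score. The decay is per type rather than a flat cut-off, which is the practical point: a three-month-old hash is still worth matching, a three-month-old IP almost never is, and a fresh sighting brings an indicator straight back.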

Langford says that too much of the time, threat intelligence is irrelevant material with no context. “I think Intelligence Hub is unique at the moment,” he says. “Okay, there's many tools out there [that] do this. The difference is not only are we doing it for you, the paying customer, we're doing it with the support of the community, with probably the largest research group in most compatible or dedicated cybersecurity vendors, in an independent way and a transparent way, for the greater good. We're doing that because it's the right thing to do.”

Business Security

To conclude, SC UK asked whether, from his position and from his conversations with CISOs, security leaders are being taken more seriously now that headlines report incidents and the cost of an attack. He says the larger, more mature organisations are seeing this, but “it's still not anywhere near where it should be.”

He concluded by saying things are better, but “we've taken one step out of a hundred.” He says the CISOs themselves are getting more savvy at the top end, whereas elsewhere “they're still kind of like ‘I just run a team of three people, and you know, two of them are analysts, and you know, one is part time.’ You can't get business savvy very easily in that kind of environment.”


Dan Raywood

Dan Raywood is a B2B journalist with 25 years of experience, including covering cybersecurity for the past 17 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.

He has spoken at events including 44CON, Infosecurity Europe, RANT Forum, BSides Scotland, Steelcon and the National Cyber Security Show, and served as editor of SC Media UK, Infosecurity Magazine and IT Security Guru. He was also an analyst with 451 Research and a product marketing lead at Tenable.
